xqueue
v1.0.5File-based X/Twitter post scheduler. Drop tweets into day/time folders, they post automatically. No frontend, no app — your file system is the UI.
⭐ 0· 565·1 current·1 all-time
byMei Park@meimakes
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (file-based X post scheduler) match what the code and SKILL.md do: create folder structure, read .md files, post to X via OAuth1, upload media, and log actions. Required binaries (python3) and pip deps (requests, requests-oauthlib) are appropriate and expected.
Instruction Scope
SKILL.md instructs running the included scripts (setup + cron-runner). The code only reads/writes the xqueue folders, a posted.log, and a notifications.log in ~/.openclaw — all described in metadata. It accesses credentials (env or macOS keychain) which is necessary to call X APIs. There are no instructions to read arbitrary user files or exfiltrate data to unrelated endpoints.
Install Mechanism
No install spec (instruction+code only). The skill ships Python scripts and expects the user to run them; nothing is downloaded at install time and no third‑party installers or remote archives are used.
Credentials
Requested environment variables are the four standard X/Twitter OAuth credentials needed to post: X_CONSUMER_KEY, X_CONSUMER_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET. The optional macOS keychain fallback uses the local 'security' utility to read credentials — consistent with the fallback behavior. No unrelated secrets or external API keys are requested.
Persistence & Privilege
Skill is not marked always:true and does not attempt to persist itself or modify other skills. It makes a best-effort notification call to the OpenClaw CLI (openclaw wake) and writes to its own notification/log files only. No elevated privileges or cross-skill config modifications are present.
Assessment
This skill appears to do exactly what it says: run the included Python scripts on a cron schedule to post files from a folder tree to X. Before installing/running: 1) protect the four X API credentials (they allow posting as your account); prefer environment variables or a secure keychain entry; 2) be aware deleteAfterPost is true by default (files are removed after posting); enable dry-run initially to verify behavior; 3) the script uses the macOS 'security' command as an optional keychain fallback and may call the local 'openclaw' CLI for notifications if available — if you don’t want that, don’t install/run the OpenClaw CLI and/or remove that notification call; 4) review cron setup and the configured xqueue path to ensure files live where you expect. Other than those operational considerations, there are no incoherent permissions, unexplained network hosts, or unexpected persistence behaviors.Like a lobster shell, security has layers — review code before you run it.
latestvk978gzce9hx1sd78hqp6pnksgs83qffe
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binspython3
EnvX_CONSUMER_KEY, X_CONSUMER_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET